Apple Pay and PCI Compliance

Matt Getzelman, PCI Practice Director

A year ago, many retail cybersecurity discussions began and ended with PCI compliance. Today, after a gut-wrenching 10 months of data breaches stretching from mom-and-pop shops to category-leading brands, the discussions are broader, the risks are better understood and every link in the customer data chain is coming under newfound scrutiny.

The changed environment is obvious in the rollout of the new token-based Apple Pay system. On the one hand, this is simply an evolutionary step in the mobile payments space. It’s a big step, because when Apple makes a move into a new area, it typically becomes a massive driver of consumer pick-up and use. But mobile payments have been progressing for years and Apple is simply entering into territory that has already been pioneered by many others.

On the other hand, the specific way in which Apple has designed its new system to enhance data security and consumer privacy resonates with the market in a way that was unthinkable before the world changed. Mobile payments used to be about convenience – now they’re about security. (Although convenience will, in the end, determine whether the system takes off.)

Apple Pay will enhance security, at least for the transactions that are directed through it. The multiple layers of protection based on fingerprint identification, a dedicated chip to hold payment information, and a single-use payment “token” offer security that’s light years beyond the 1970s-era magnetic stripe that’s still used today for the vast majority of card-present transactions.

However, fraudsters adapt quickly to new technologies. When European card providers switched to more secure EMV chip-and-PIN systems, fraud quickly moved online to card-not-present transactions, where the new technology provided no advantage.

At least in the short and medium terms, Apple Pay will not be The Solution to the data security challenges the retail and financial services industries are facing. If adoption grows, the number of transactions going through older technologies will decrease. On net, this will improve the security of the payments ecosystem.

However, the chicken/egg issue of consumer/merchant adoption means that retailers who weren’t part of the initial announcement can take a “wait and see” approach before investing in expensive new hardware to accept NFC-based payments. The most theoretically secure payment system in the world isn’t much help when consumers can’t actually use it.

For information security professionals, awareness of Apple Pay’s potential shortcomings is actually a good thing. We understand there are no silver-bullet solutions to achieving data security. After years of myopic focus on PCI compliance and EMV technology, it’s good that this same understanding is spreading out to consumers and up to the board room.

As video of the first transactions with Apple Pay shows up on the evening news, retail CEOs have some serious discussions on their hands. Does the enhanced security of some transactions justify the costs of a broader rollout? Can reduced risks and potentially lower transaction fees outweigh the loss of the treasure trove of customer payment information that powers loyalty programs and targeted marketing efforts?

The Year of the Data Breach has an impact on all these discussions. The days when security could be delegated to IT and forgotten are long gone. Cybersecurity now has a material impact on day-to-day operations, brand value and customer trust. If a better option becomes available, how long can a merchant decline to offer it?

Every organization needs to take a holistic approach to managing IT risk. That approach starts with basic questions like: What information do we have? Where is it? Who’s responsible for protecting it? And, in the worst-case scenario, what happens if it’s compromised?

Apple Pay is an exciting new development and holds significant promise, but the industry is still going to need the PCI DSS, robust security programs and scope-reducing technologies like point-to-point encryption to protect traditional cards. Fraud always finds a way.

Matt Getzelman